About nsinghvirk

Hello @Reflexion    Thanks for reaching out on LiveCommunity! To simplify Cortex XDR, the product team natively integrated a dedicated data lake that is delivered as part of the Cortex tenant. The natively integrated data lake can ingest data from all Palo Alto Networks data sources and all 3rd party sources. Ingestion of Palo Alto Networks network security logs can now be done directly without the need for Cortex Data Lake, CDL. Existing contracts will not be altered and the existing Cortex Data Lake will remain until renewal. At the time of renewal, Cortex Data Lake will be available as a separate purchase. ... View more

Hello @meanmach    Thanks for reaching out on LiveCommunity. You can achieve this using "join" stage which will combine data from both datasets. I have written an example query which you can modify according to your use case. dataset=incidents | fields incident_id, description as IncidentDesc | join (dataset = alerts | fields incident_id , cgo_name , initiated_by , action_process_instance_id ) as abc abc.incident_id = incident_id | fields incident_id , IncidentDesc , cgo_name , initiated_by , action_process_instance_id   Reference for join stage- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @JahidAliyev    Thanks for reaching out on LiveCommunity! Please find below response to your queries. 1. Idly once you set device control settings to read only you should not be able to write/format to it. As confirmed by you that Rufus was able to delete the partitions but this makes the disk unusable anyway. However to investigate this further log analysis is required hence please open a support case. 2. Currently device control settings do not support blocking bluetooth devices. 3. Currently CD ROM settings only have allow and block mode. Read only mode is not supported.     ... View more

Hello @Shashanksinha    Thanks for reaching out on LiveCommunity! Can you please confirm what is your requirement? Because unit 42 is a threat research and incident response team. To know about the unit 42 services please reach out to your sales/account representative. ... View more

Hello @Zewwy    Thanks for reaching out on LiveCommunity! In order to analyse network activity you can take help from "network_story" present in XQL query builder. You can filter out traffic specific to this domain with field like dns_query. Additionally if you are ingesting your firewall logs into XDR then you can easily query network traffic and correlate the events to find the root cause.     ... View more

@luglg100    Please open a support case to investigate further. ... View more

Hello @KHassan    Thanks for reaching out on Live Community. Unfortunately this forum is only for XDR related discussions. Please ask XSOAR related questions in below forum. https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions   ... View more

Hello @luglg100    Thanks for reaching out on LiveCommunity! Please make sure that you have fulfilled all the below prerequisites to run scripts on an endpoint. Cortex XDR Pro Per Endpoint license Endpoints running the Agent v7.1 and later. Since the agent uses its built-in capabilities and many available  Python  modules to execute the  script s, no additional setup is required on the endpoint. Role with the following permissions to run and configure  script s: Run Standard  script s Run High-risk  script s Script  configuration (required to upload a new  script , run a snippet, and edit an existing  script ) Script s (required to view the  Script s Library and the  script  execution results)   Note: Running snippets requires both Run High-risk  script s and  Script  configuration permissions. Additionally, all  script s are executed as System User on the endpoint.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @Syedhkt    Thanks for reaching out on LiveCommunity! This forum is only for XDR discussions. Please go to below forum for asking XSOAR related questions. https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions ... View more

Hello @Venkatesh_Konar    Thanks for reaching out on LiveCommunity! CGO is the process which XDR after its causality analysis find response for the suspicious activity. It may not be the first process or initiator process. CGO can have its parent process also. So idly in the chain of events CGO is the process which triggered suspicious behaviour.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more